Ransomware groups like Qilin and Hunters International are misusing the legitimate Kickidler employee monitoring software to secretly observe victim behavior, gather credentials, and prepare for encryption attacks.
Cybersecurity firms Varonis and Synacktiv report that attackers delivered Kickidler via a fake RVTools website, where a trojanized version of that tool loaded the SMOKEDHAM backdoor.
Once installed, Kickidler allowed attackers to track keystrokes, capture screens, and collect data without triggering security alerts.
This surveillance enabled access to off-site cloud backups, even when those backups were isolated from Windows authentication. Following reconnaissance, ransomware payloads were deployed against VMware ESXi servers, encrypting virtual machines and causing major disruptions.
The abuse of Kickidler follows a broader trend of ransomware actors using legitimate remote monitoring and management tools to gain persistent, covert access to networks.
